With the right equipment (available commercially for less than $1,000), anyone could eavesdrop on the popular encryption program via “side channel” signals from smartphones.

Side-channel attacks, though relatively rare, are especially chilling: They extract sensitive information from signals created by electronic activity within computing devices—no malware needed.

“This is something that could be done at an airport to steal people’s information without arousing suspicion and makes the so-called ‘coffee shop attack’ must more realistic,” according to Milos Prvulovic, associate chair of Georgia Tech’s School of Computer Science.

He and colleague Alenka Zajic experimented by bugging two different Android phones using neighboring probes. In a real-life attack, signals could be received via antennas concealed under tables or hidden in nearby furniture.

“Once we got the attack to work, we were able to suggest a fix for it fairly quickly,” Prvulovic said. “Programmers need to understand that portions of the code that are working on secret bits need to be written in a very particular way to avoid having them leak.”

Georgia Tech’s proposed patch was adopted in versions of the OpenSSL software pushed out in May. Results of their research will be presented at the upcoming 27th USENIX Security Symposium in Baltimore.

The team is now looking into other programs with similar flaws; they plan to develop a program for automated analysis of security vulnerabilities.

“Our goal is to automate this process so it can be used on any code,” Zajic, an associate professor in Georgia Tech’s School of Electrical and Computer Engineering, said. “We’d like to be able to identify portions of code that could be leaky and require a fix. Right now, finding these portions requires considerable expertise and manual examination.”

By publicizing attacks like this, researchers are encouraging mobile manufacturers to shield side-channel emissions and improve the software running on their phones, tablets, and laptops.

“The designers of encryption software now have another issue that they need to take into account because continuous snooping over long periods of time would no longer be required to steal this information,” Prvulovic said.

“This is something that needs to be addressed at all levels. A combination of factors … make you safer,” he added. “You should not be paranoid about using your devices in public locations.”

You should, however, be cautious about accessing banking systems from a booth in Starbucks or plugging your device into unprotected USB chargers at the airport.